Android has a major security vector with SMS/MMS prefetch

July 31, 2015

A security vector called StageFright was found. It is sent through a malicious video and gives the attacker access to your device, including storage rights, microphone access, and the ability to copy data such as passwords. Because the default action of Hangouts and Android’s stock SMS app was to pre-fetch videos (thereby processing them ahead of time for you), you could be vulnerable without even knowing it.

It was blogged about several times; here are just a few:

If you’re on Android and use Hangouts for SMS/MMS, follow these steps to protect yourself from the Android security bug involving MMS prefetching:

  • In Hangouts, tap on the top left icon (the horizontal lines).
  • Go into Settings.
  • Pick “SMS” at the bottom of the list.
  • Scroll down, look for the setting that says “Auto retrieve MMS”, and remove the checkmark.

In the stock Android SMS app, a similar setting can be found here: Settings –> Advanced –> Auto-retrieve